Back to Top

Thursday, November 30, 2006

The hidden capabilities of windows firewall

Windows, beginning with XP SP2 contains a decent firewall. It doesn't have leak prevention or outbound connection filtering. However it does have: inbound connection filtering, ICMP filtering, a default deny policy, GUI and command line interface, configuration using group policy and something I discovered only recently: limiting a certain rule with multiple IP / netmasks (up to around 10). It also comes preinstalled with the OS.

What this means that you can open up a given service only to the people who need to access it. This provides an additional security layer. Why make it possible for the entire world to brute-force your SSH account? Drop them at the firewall! This doesn't replace a good password, but is an additional layer of security

Some more random firewall related advice:

Port based rules are preferable to application based rules, because with them you enable one port with one protocol (TCP or UDP) for a given set of IP addresses, while if you use application based rules, every port for that given application will be enabled. This is important for application which open up multiple ports (for example an FTP server which has also a web administration interface or Apache, which opens up a port for HTTP and one for HTTPS).

Configure the binding address / listening address for servers correctly. For example:

  • If your computer is multi-homed (it has multiple network interfaces), by default most of the servers will listen on all the interfaces. If you need them to listen on only one of the interfaces, specify it as the binding address. Also limit the access from the firewall to that particular subnet (remember, multiple layers of security!)
  • Usually you can specify the listening address in the form of <ip address>:<port>. If you use 0.0.0.0 for the ip address, the server will listen on all the interfaces (not recommended!). If you specify 127.0.0.1, it will listen only on the loopback interface. This is a special virtual interface which you can connect to only from the local computer. This is the recommended configuration for administration interfaces. database servers and any other service you only want to connect to locally (or using an SSH tunnel, which from the programs point of view is a local connection).

Here are some further references:

And remember, if you want to change the listening port for remote desktop for an additional layer of security on a machine you don't have physical access to and you don't want to call technical support, the correct order of steps is (which I learned the hard way :)):

  1. Open the new port you selected on the firewall for TCP connections.
  2. Verify that you can access that port using a tool like netcat of TTCP
  3. Change the registry
  4. Reboot the computer and pray that it comes up :)
  5. Connect on the new port to remote desktop
  6. Remove the rule for the old port

0 comments:

Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.